A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #8070  by Tigzy
 Wed Aug 17, 2011 9:54 am
Hello

Does anybody have information about that table? Is it only for GUI functions?
My aim is to hook the sending of WM_Xxx messages. Is this possible with that kind of hook? Which API do I need to hook?
 #8072  by GamingMasteR
 Wed Aug 17, 2011 10:28 am
NtUserMessageCall
NtUserPostThreadMessage
NtUserPostMessage
NtUserSendInput

Not sure what else ...
Check what game protection systems used to hook in the SSDTs.
 #8073  by Tigzy
 Wed Aug 17, 2011 11:02 am
GamingMasteR wrote:Check what game protection systems used to hook in the SSDTs.
Sorry, I'm afraid I don't understand what you mean. :roll:
I'm not aware of the technical protections of games...

I need to understand what the main differences between the SSDT and Shadow SSDT are, to know how to hook it.
For the SSDT, I use a UL app which sends the index of the IAT table to my driver, which converts it into SSDT addresses.

How do the hooks for the Shadow one work?
 #8076  by EP_X0FF
 Wed Aug 17, 2011 12:58 pm
Tigzy wrote:I need to understand what the main differences between the SSDT and Shadow SSDT are, to know how to hook it.
They are the GUI subsystem (GDI/USER) kernel routines.
If you don't know what it is, it is better not to hook.
And it is better not to use any kind of hooks at all (maybe except in user mode).
Tigzy wrote:For the SSDT, I use a UL app which sends the index of the IAT table to my driver, which converts it into SSDT addresses.
OMG, really OMG if I get it right. All you need is a few lines of code to extract the index in user mode.

something like that

[syntax="c"]#include <windows.h>

/* Reads the service index from the exported ntdll stub, which on x86
   begins with "mov eax, imm32" (B8 xx xx xx xx): the index is at offset 1.
   GetModuleHandleA keeps the narrow string valid in UNICODE builds. */
ULONG GetSdtEntryNumber(IN PCSTR lpProcName)
{
    PUCHAR pProc = (PUCHAR)GetProcAddress(GetModuleHandleA("ntdll.dll"), lpProcName);
    if (pProc) return *(PULONG)(pProc + 1);
    return 0;
}[/syntax]

or

http://www.kernelmode.info/forum/viewto ... f=10&t=779

Shadow services are not directly exported by user/gdi dlls - the simplest way here is to hardcode their indexes.

Thread moved.
 #8077  by Tigzy
 Wed Aug 17, 2011 1:35 pm
EP_X0FF wrote:OMG, really OMG if I get it right. All you need is a few lines of code to extract the index in user mode.

something like that
Your code is exactly what I've done.
GetProcAddress on a DLL gets an index from the IAT, right?

EP_X0FF wrote:Shadow services are not directly exported by user/gdi dlls - the simplest way here is to hardcode their indexes.
Well, you confirm my fears... :|
EP_X0FF wrote:If you don't know what it is, it is better not to hook.
And it is better not to use any kind of hooks at all (maybe except in user mode).
We are here to learn, aren't we? Well, maybe more me than you :D
Any paper or anything else about the Shadow SSDT?

EDIT: Newbie is a better place for this... :lol:
Last edited by Tigzy on Wed Aug 17, 2011 1:39 pm, edited 1 time in total.
 #8079  by EP_X0FF
 Wed Aug 17, 2011 1:37 pm
Tigzy wrote:Any paper or anything else about the Shadow SSDT?
What do you want to know?
 #8081  by EP_X0FF
 Wed Aug 17, 2011 1:44 pm
Google for "Windows 2000 source code", download the torrent and enjoy looking through the ntuser stuff.

Internal routines have changed since 2000 and these sources are incomplete, but overall this source will shed some light on how it works.

Of course it's illegal, but nobody cares.
 #8082  by Tigzy
 Wed Aug 17, 2011 1:59 pm
EP_X0FF wrote:Google for "Windows 2000 source code", download the torrent and enjoy looking through the ntuser stuff.
That really exists? :D
Will have a look. If you have further information (targeting only the Shadow SSDT), let me know.
 #8084  by EP_X0FF
 Wed Aug 17, 2011 2:05 pm
Tigzy wrote:That really exists? :D

I doubt you can find more detailed explanations than directly in the sources (comments with "fcuk" and "shit" from the developers included).